WordPress Plugin Vulnerabilities

Classified Listing – Classified ads & Business Directory Plugin < 5.0.4 - Authenticated (Subscriber+) Arbitrary Shortcode Execution via Listing Description

Description

The The Classified Listing – Classified ads & Business Directory Plugin plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 5.0.3. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary shortcodes.

Affects Plugins

Plugin icon
classified-listing
Fixed in 5.0.4

References

CVE
CVE-2025-7711
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/d9b10db9-0c7c-4f13-9d98-6d407446cfb8

Classification

Type
RCE
OWASP top 10
A1: Injection
CWE
CWE-94
CVSS
5.4 (medium)

Miscellaneous

Original Researcher
Kishan Vyas
Verified
No
WPVDB ID
d36804b5-5ec2-4e6f-809d-db0cae33c14f

Timeline

Publicly Published
2025-11-17 (about 5 months ago)
Added
2025-11-17 (about 5 months ago)
Last Updated
2025-11-17 (about 5 months ago)

Other

Published
Title
Published
2025-01-29
Title
Contact Form & SMTP Plugin for WordPress by PirateForms < 2.6.1 - Unauthenticated Arbitrary Shortcode Execution
Published
2024-11-25
Title
InPost Gallery < 2.1.4.3 - Authenticated (Subscriber+) Arbitrary Shortcode Execution via inpost_gallery_get_shortcode_template
Published
2026-02-10
Title
Custom Block Builder – Lazy Blocks < 4.2.1 - Contributor+ Remote Code Execution
Published
2025-10-31
Title
Advanced Ads < 2.0.13 - Unauthenticated Limited Code Execution
Published
2025-08-14
Title
Dynamic Pricing With Discount Rules for WooCommerce < 4.5.10 - Authenticated (Shop Manager+) Arbitrary Code Execution